(57) Abstract

Disclosed is a method and apparatus which includes a security computer system capable of deploying and monitoring software agents on one or more nodes of a network of computers. The agents on each node include a framework agent and either a misdirection mission or a defensive mission. Upon an intrusion detection mission sending information to the security computer system indicative of an actual or suspected misuse or intrusion, the security computer system can automatically take countermeasures against the suspected or actual intrusion or misuse. Automatic countermeasures include using a defensive countermeasure to increase an auditing level conducted by the intrusion detection mission. A misdirection countermeasure mission is used to misdirect requests of the suspected or actual intruder or misuser. An offensive countermeasure is used to send a chase mission to the suspected or actual intruder. The offensive chase mission can either be automatically dispatched or dispatched with human intervention. The computer system includes a monitor for monitoring by a human system administrator.
DYNAMIC SYSTEM DEFENSE FOR INFORMATION WARFARE

Field of the Invention 

The present invention relates generally to intrusion detection systems for computer systems, and more particularly, relates to intrusion detection systems having dynamic response capabilities for suppressing and automatically taking countermeasures against suspected and actual intruders and misusers.



Background of the Invention 

The development of the computer and its astonishingly rapid improvement have ushered in the Information Age that affects almost all aspects of commerce and society. Just like the physical infrastructures that support the American economy, there is a highly developed computer infrastructure that supports the American and worldwide economy.

Besides traditional physical threats to United States security, the security of the United States is also dependent on protecting the computer infrastructure that supports American government and industry. The computer infrastructure is open to attack by hackers and others, who could potentially wreak havoc.

The President of the United States has recognized the existence of these infrastructures and has created the President's Commission on Critical Infrastructure Protection. This Commission was constituted to determine which industries are critical and whether these industries were vulnerable to cyber attack. The Commission issued a report and deemed transportation, oil and gas production and storage, water supply, emergency services, government services, banking and finance, electrical power and telecommunications to be critical infrastructures which rely on the computer infrastructure.
A personal computer and a modem access to the Internet are all the tools that a computer hacker needs to conduct a cyber attack on a computer system. The rapid growth of a computer-literate population ensures that millions of people possess the skills necessary to consider a cyber attack. The computer literate population includes recreational hackers who attempt to gain unauthorized electronic access to information and communication systems. These computer hackers are often motivated only by personal fascination with hacking as an interesting game. Criminals, and perhaps organized crime, might also attempt personal financial gain through manipulation of financial or credit accounts or stealing services. Industrial espionage can also be the reason for a cyber attack on a competitor's computer system. Terrorists may attempt to use the computer infrastructure. Other countries may use the computer infrastructure for national intelligence purposes. Finally, there is the prospect of information warfare, which is a broad, orchestrated attempt to disrupt a United States military operation or significant economic activity.

A typical secure computer network has an interface for receiving and transmitting data between the secure network and computers outside the secure network. A plurality of network devices are typically behind the firewall. The interface may be a modem or an Internet Protocol (IP) router. Data received by the modem is sent to a firewall which is a network security device that only allows data packets from a trusted computer to be routed to specific addresses within the secure computer network. Although the typical firewall is adequate to prevent outsiders from accessing a secure network, hackers and others can often breach a firewall. This can occur by cyber attack where the firewall becomes overwhelmed with requests and errors are made permitting access to an unauthorized user. As can be appreciated, new ways of overcoming the security devices are developed every day. An entry by an unauthorized computer into the secured network, past the firewall, from outside the secure network is called an intrusion. This is one type of unauthorized operation on the secure computer network.
Another type of unauthorized operation is called a misuse. A misuse is an unauthorized access by a computer within the secure network. In a misuse situation, there is no breach of the firewall. Instead, a misuse occurs from inside the secure computer network. A misuse can be detected when an authorized user performs an unauthorized, or perhaps, infrequent operation which may raise the suspicion that the authorized user's computer is being misused. For example, an unauthorized user could obtain the password of an authorized user and log on to the secured network from the authorized computer user's computer and perform operations not typically performed by the authorized user. Another example might be where a terrorist puts a gun to the head of an authorized user and directs the authorized user to perform unauthorized or unusual operations.

There are systems available for determining a breach of computer security which can broadly be termed intrusion detection systems. Existing intrusion detection systems can detect intrusions and misuses. The existing security systems determine when computer misuse or intrusion occurs. Computer misuse detection is the process of detecting and reporting uses of processing systems and networks that would be deemed inappropriate or unauthorized if known to responsible parties. An intrusion is an entry to a processing system or network by an unauthorized outsider.

These existing computer security systems have audit capabilities which are passive. These systems collect audit information from network devices and format those audits for review. Most of the existing computer security systems known to the inventors do not take steps to stop the misuse or intrusion after it is detected. Those that do take active steps are limited to logging a user off the network, stopping communications with that computer, halting operations or other forms of notification such as a message to the security officer. Manual countermeasures are necessary. Once a hacker or intruder enters a critical system computer, even if detected, the hacker may do considerable harm before an operator of the system can react and initiate an appropriate, manual countermeasure, to stop the misuse or intrusion or to positively identify the hacker. Thus, a need exists for a system which can automatically take defensive steps to stop a misuse or intrusion after it is detected. A further need exists for a system which can take offensive steps, either automatically or with human intervention, to learn more information about an intruder and perhaps disable the intruder.

Summary of the Invention 

It is, therefore, an object of the present invention to substantially overcome the above-identified problems and substantially fulfill the above-identified needs.

A further object is to automatically take countermeasures against an intruder or misuser.

Another object is to automatically take offensive steps against an intruder by sending an agent to the intruder's computer system.

An additional object is to automatically take defensive steps to halt further intrusion or misuse.

These and other objects of the present invention are achieved by a method and apparatus for receiving information that an intrusion or misuse has occurred and taking countermeasures on a computer network. The computer network includes a plurality of network devices such as computers, hosts, servers and terminals, all coupled to a network communications media for monitoring the network for intrusion and misuse. Although a security device such as a firewall is typically in place to prevent intruders from accessing the computer network, hackers can often gain entry to the computer network. Also, although internal users have passwords and the like, misuse of the computer network occurs from computers within the network because misusers obtain the necessary passwords, etc. A security computer is coupled to the network communications media and includes software for deploying software agents on each of the network devices, and monitoring and controlling the deployed agents. Each agent is a computer software module which is capable of being transported from one computer to another under instruction from the security computer. The security computer receives information from agents who perform the functions of monitoring the computers on the network for misuse and intrusion and send information to the security computer indicative of suspected or actual intrusions or misuses. The security computer can then take defensive and/or offensive measures to suppress or counterattack the intruder or misuser by automatically sending defensive or offensive agents to the computer on which a suspected or actual intrusion or misuse occurred. The security computer includes a monitor for monitoring by a human system administrator.

These and other objects of the present invention are achieved by a method for a computer network including receiving information, at a security computer, that an unauthorized operation has occurred at a computer on the network. Based on this information, countermeasures are initiated automatically, from the security computer, against the unauthorized operation where the determined unauthorized operation occurred.

These and other objects of the present invention are achieved by a method for a computer network including receiving information, at a security computer, that an unauthorized operation has occurred at a computer on the network. Based on this information, countermeasures are taken from the security computer against the intrusion. The countermeasures include dispatching a transferable self-contained set of executable instructions to the identified audited computer and executing the set of executable instructions on the identified audited computer to implement the countermeasure.
These and other objects of the present invention are achieved by a computer network comprising a security computer including one or more software modules for deploying, controlling and monitoring agents on one or more nodes of the computer network. Each of the one or more computers on the computer network includes a security operative which includes at least one offensive mission for taking countermeasures against an unauthorized operation and a misdirection mission for misdirecting further unauthorized operations.

These and other objects of the present invention are achieved by a computer system including a processor. A network interface couples computers on a computer network. A memory stores executable code for taking a countermeasure and is coupled to the processor. The memory has stored therein sequences of instructions, which, when executed by the processor, cause the processor to perform the step of receiving information that an unauthorized operation has occurred on a computer on the computer network. The processor then takes countermeasures against the unauthorized operation at the audited computer including dispatching a transferable self-contained set of executable instructions to the determined computer. The computer system then causes the set of executable instructions to be executed on the determined computer to implement the countermeasure.

These and other objects of the present invention are achieved by a security computer architecture including receiving means for receiving information that an unauthorized operation occurred on the computer network. The computer architecture includes determining means for determining that an unauthorized operation has occurred at an audited computer based on the received auditing information. The computer architecture includes countermeasure means for automatically initiating countermeasures against an unauthorized operation at the audited computer.

These and other objects of the present invention are achieved by a computer readable medium having agents stored thereon. The computer readable medium has stored thereon at least one data collection agent for monitoring for an unauthorized operation on a computer within a computer network and reporting back to a security computer. The computer readable medium has stored thereon at least one misdirection agent for misdirecting requests by an actual or suspected intruder or misuser to a location in the monitored computer where the actual or suspected intruder obtains false information. The computer readable medium has stored thereon at least one offensive agent for taking countermeasures against an actual or suspected intruder to prevent or suppress further intrusion by the actual or suspected intruder.

Still other objects and advantages of the present invention will become readily apparent to those skilled in the art from the following detailed description, wherein the preferred embodiments of the invention are shown and described, simply by way of illustration of the best mode contemplated of carrying out the invention. As will be realized, the invention is capable of other and different embodiments, and its several details are capable of modifications in various obvious respects, all without departing from the invention. Accordingly, the drawings are to be regarded as illustrative in nature, and not as restrictive.



Brief Description of the Drawings 

The present invention is illustrated by way of example, and not by limitation, in the figures of the accompanying drawings, wherein elements having the same reference numeral designations represent like elements throughout and wherein:

Figure 1 is a high-level block diagram of an exemplary secured computer network on which the present invention can be implemented;

Figure 2 is a high-level block diagram of an exemplary computer system with which the present invention can be implemented;

Figure 3 is a block diagram of a logical architecture of the system according to the present invention;

Figure 4 is an illustration of a display screen depicting the status of agents on nodes on a computer network; and

Figure 5 is a diagram of a first embodiment of the invention as used on several fleets of trucks in a wireless network.
Best Mode for Carrying Out the Invention

A method and apparatus for intrusion suppression and for taking countermeasures according to the present invention are described. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, that the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the present invention.

Figure 1 is a block diagram illustrating an exemplary computer network 100 including a plurality of network devices on which an embodiment of the invention may be implemented. The network devices include devices such as hosts, servers and personal computers. The present invention is usable on such networks as ARCnet, Ethernets and Token-Ring networks, wireless networks, among other networks. The network 100, in this example, has a central network cable 102, also known as media, which may be of any known physical configuration including unshielded twisted pair (UTP) wire, coaxial cable, shielded twisted pair wire, fiber optic cable, and the like. Alternatively, the network devices could communicate across wireless links.

The network 100 includes a network server 104 coupled to the network cable 102 and another server 106 coupled to the network cable 102. A host computer 108 is coupled to the network cable 102. A terminal 110 is coupled to the network cable 102. A personal computer 112 is coupled to the network cable 102. Each network device 104, 106, 108, 110, 112 can also be considered a node because each device has an addressable interface on the network. As can be appreciated, many other devices can be coupled to the network including additional personal computers, mini-mainframes, mainframes and other devices not illustrated or described which are well known in the art.
A security server 114 for implementing the intrusion detection, suppression, and countermeasure system according to the present invention is coupled to the network cable 102. A firewall 116 connects the secure network 100 to an interface 118. The firewall 116 is a combination hardware and software buffer that is between the internal network 100 and external devices outside the internal computer network 100. The network devices within the internal network 100 appear within the dashed lines in Figure 1, and the external devices outside the internal network appear outside the dashed lines in Figure 1. The firewall 116 allows only specific kinds of messages from external devices to flow in and out of the internal network 100. As is known, firewalls are used to protect the internal network 100 from intruders or hackers who might try to break into the internal network 100. The firewall 116 is coupled to an interface 118. The interface 118 is external to the network 100 and can be a modem or an Internet Protocol (IP) router and serves to connect the secure network 100 to devices outside the secure network. For illustrative purposes, an intruder computer system is depicted at 130.

Figure 2 is a block diagram illustrating an exemplary computer system, such as the personal computer 112 depicted in Figure 1, usable on the internal secure network 100. The present invention is usable with currently available personal computers, mini-mainframes, mainframes and the like. Although computer 112 is depicted in Figure 1 as a network device which is part of a wired local network, the computer 112 is also envisioned as being connected to the network 100 by a wireless link. In this regard, the computer 112 is usable in the cockpit of an aircraft, on a ship and in moving land vehicles. It is believed that the invention described herein can readily be adapted for specific hardware configurations for each of these operating environments.

Computer system 112 includes a bus 202 or other communication mechanism for communicating information, and a processor 204 coupled with the bus 202 for processing information. Computer system 112 also includes a main memory 206, such as a random access memory (RAM) or other dynamic storage device, coupled to the bus 202 for storing information and instructions to be executed by processor 204. Main memory 206 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 204. Computer system 112 further includes a read only memory (ROM) 208 or other static storage device coupled to the bus 202 for storing static information and instructions for the processor 204. A storage device 210, such as a magnetic disk or optical disk, is provided and coupled to the bus 202 for storing information and instructions.

Computer system 112 may be coupled via the bus 202 to a display 212, such as a cathode ray tube (CRT) or a flat panel display, for displaying information to a computer user. An input device 214, including alphanumeric and other keys, is coupled to the bus 202 for communicating information and command selections to the processor 204. Another type of user input device is cursor control 216, such as a mouse, a trackball, or cursor direction keys for communicating direction information and command selections to processor 204 and for controlling cursor movement on the display 212. This input device typically has two degrees of freedom in two axes, a first axis (e.g., x) and a second axis (e.g., y) allowing the device to specify positions in a plane.

The processor 204 can execute sequences of instructions contained in the main memory 206. Such instructions may be read into main memory 206 from another computer-readable medium, such as storage device 210. However, the computer-readable medium is not limited to devices such as storage device 210. For example, the computer-readable medium may include a floppy disk, a flexible disk, hard disk, magnetic tape, or any other magnetic medium, a CD-ROM, any other optical medium, punch cards, paper tape, any other physical medium with patterns of holes, a RAM, a PROM, an EPROM, a FLASH-EPROM, any other memory chip or cartridge, a carrier wave embodied in an electrical, electromagnetic, infrared, or optical signal, or any other medium from which a computer can read. Execution of the sequences of instructions contained in the main memory 206 causes the processor 204 to perform the process steps described below. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions to implement the invention. Thus, embodiments of the invention are not limited to any specific combination of hardware circuitry and software.

Computer system 112 also includes a communication interface 218 coupled to the bus 202. Communication interface 218 provides a two-way data communication as is known. For example, communication interface 218 may be an integrated services digital network (ISDN) card or a modem to provide a data communication connection to a corresponding type of telephone line. As another example, communication interface 218 may be a local area network (LAN) card to provide a data communication connection to a compatible LAN. In the preferred embodiment the communication interface 218 is coupled to the network cable 102. Wireless links may also be implemented. In any such implementation, communication interface 218 sends and receives electrical, electromagnetic or optical signals which carry digital data streams representing various types of information. Of particular note, the communications through communication interface 218 may permit transmission or receipt of the intrusion detection, suppression and countermeasure agents for taking countermeasures against suspected or actual intruders or misusers.

The logical architecture of one embodiment of the suppression and countermeasure system 250 of the present invention is illustrated in Figure 3 and can be implemented on the physical network described above and depicted in Figure 1. The suppression and countermeasure system 250 of the present invention includes two building blocks: a service manager 260 on the network security server 114 and dispersed security operatives 320, 322, 324. As discussed in detail below, the network security server 114 is located on one or more computers in the secure network 100 and the security operatives 320, 322, 324 are located at remote computers within the network 100 and dispatched, controlled and monitored by the security server 114.
The intrusion suppression and countermeasure system of the present invention includes the security server 114 of Figure 1, the logical architecture of which is depicted in greater detail in Figure 3. The service manager 260 includes an agent communication manager 289, a message processing module 288, a configuration setting module 287, an audit database 286, a service request processor module 290, a configuration setting module 291 and a service communication manager 293. The agent communication manager 289 has communication protocols 280, 282, 284 for exchanging information with security operatives 320, 322, 324. The service manager 260 includes message processing module 288 for receiving audits/alerts from agent communication manager 289. The message processing module 288 is coupled to a configuration setting module 287 and an audit database 286. The message processing module 288 sends information to a service request processor module 290. The service request processor module 290 is coupled to a configuration setting module 291 and to a service communication manager 293. The service communication manager 293 is in turn coupled to an agent factory module 296, an intrusion detection interface module 298, a response engine module 272, a DB historical support module 300, a network tools module 302 and an inter manager coordinator module 304. Response engine module 272 provides functionality for determining the response that the suppression and countermeasure system should take in response to a threat from an intruder or misuser. A system security officer graphical user interface (SSOGUI) module 292 provides an interface to a human security officer. Modules 272, 292, 296, 298, 300, 302, 304 reside outside of the service manager 260. The agent factory module 296 provides new agents that can be adapted to new situations. The intrusion detection mission interface module 298 provides an interface to the intrusion detection missions 452. The DB historical support module 300 provides a database of historical information regarding previous threats and misuses and is used by the response engine module 272 in formulating responses. The network tools module 302 is used to change routings between modules and missions and is used to change sniffers. A computer in a sniffing mode can capture information including a packet header having the address of another computer. The inter manager coordinator 304 manages communications to other additional service managers 260. In a wireless network without the firewall 116, the network cable 102 could be a wireless path or a combination of wired and wireless paths. For example, in a non-secured environment, the signal path 102 could be the Internet.

The service request processor module 290 dispatches the dispersed security operatives 320, 322, 324 to other network devices such as servers 104, 106, host 108, terminal 110, and PC 112. The service request processor module 290 also initiates the instantiation of the security operatives 320, 322, 324 on the remote computers. Each network device has a security operative residing thereon. For simplicity, in Figure 3, only the security operatives 320, 322, 324 are depicted which reside at the host 108 and PC 112, respectively.

An intruder system is depicted as the block 130 in Figure 1. The intruder, by definition, must be outside the secured network. Of course, the intruder 130 does not form a part of the present invention but is being shown for illustrative purposes only. The intruder is often a hacker. An intruder 130 can use a PC with a modem or other communication link. For purposes of this patent application, it can be assumed that even though the firewall 116 provides some degree of protection, hackers will be able to gain access to one or more of the devices on the network 100 and thus intrude into the secured network 100. By contrast, a misuser is using a network device from within the secured network 100.

Each network device such as server 104, host 108 and PC 112 usually will be referred to herein as nodes. As used herein, a node is an addressable point on a network. A node can connect a computing system, a terminal, or various other peripheral devices to the network. Nodes 104, 108, 112, for example, can communicate with each other via signal path 102.

Alternatively, instead of networking computers 104, 108, 112 via signal path 102, there can be individual signal paths between each computer and the security server 114. Additionally, the security server 114 can also be in communication with a plurality of networks, each having two or more computers or nodes.

WO 99/57625 PCT/US99/09217

As depicted in Figure 3, on each node 104, 108, 112 resides the security operatives 320, 322, respectively. Each security operative 320, 322, 324 includes a communication framework 410 and an agent core framework 420 and at least one mission, each of which is a software module. To initially configure the communication framework 410 and 420 on the secure network 100, the service request processor module 290 sends configuration segments to each of the nodes on the network. These configuration segments are then instantiated on a respective node as the communication framework 410 and the agent core framework 420. In the presently preferred embodiment, the communication framework 410 and the at least one mission are each known as agents. Functionally, an agent is computer software, transportable over a computer network from one computer to another, to implement a desired function on the destination computer. An agent can also be defined as a transferable self-contained set of executable code instructions. A response correlator 412 can provide some of the functionality of the response engine module 272. Advantageously, the response correlator 412 can sometimes eliminate the need for the remote agents 452-458 to communicate with the response engine.

From a code perspective, the preferred agents are collections of Java classes combined with a collection of persistent objects. The communication framework 410 and agent core framework 420 are at least one of these Java classes. Each agent also includes a collection of named objects, called the persistent store. Objects can be added and deleted from the persistent store at any time.

All communications between nodes 104, 108, 112 occurs through a respective communication framework 410 each of which tracks objects and maintains one or more agent ports. The communication framework 410 and the agent core framework 420, as agents, can be moved from node to node although typically reside at only a single node. All communications between the message processing module 288 and the nodes 104, 108, 112 occurs through a respective communication framework 410.

As depicted in Figure 3, the security operatives 320, 322, 324 each include missions such as an audit and intrusion detection mission 452, a change audit mission 454, and a chase mission 456, which are discussed in detail below. Like the communication framework 410, these missions preferably are Java agents. To configure a mission at a communication framework 410, the service request processor module 290 sends a reconfiguration segment to a particular node on the network where the mission is to be deployed. The reconfiguration segment is then instantiated as the mission under instructions from the service request processor module 290.

As will be explained below, many other missions are possible. The agents can also be written in many languages such as C++, C and assembler and other languages known to those of skill in this art.

It should be noted that different or common entities may control the secure network 100 and nodes 104, 108 and 112. For example, network 100 and nodes 108, 112 may be owned by one company or the military and thus are under the control of one entity. Alternatively, different entities may control the network 100 and each of the nodes. For example, a system administrator may control the network 100 while each of the nodes 104, 108, 112 is owned by a different company that might be concerned about preventing a cyber attack and responding to a cyber attack.

It is important that the communication framework 410 and agent core framework 420 have full permission to use and access every resource on the host computer 108 or 112, to append, delete, modify, and rewrite files. In a UNIX environment, for example, the communication frameworks 410 and agent core framework 420 would reside at the root access level and thus have full permission to use every resource on the host UNIX computer. The communication framework 410 tracks missions and sends and receives them from one port to another. The communication framework 410 also enables missions to communicate back and forth to the server 114. The agent core framework 420 has an open architecture and each of the missions is plugged into the agent core framework 420. The agent core framework 420 is thus able to accept different and/or additional missions. The agent core framework 420 can work on any hardware platform such as a mainframe, mini-mainframe or personal computer and any operating system such as UNIX, OS/2 or Windows NT and is preferably coded in Java but other native languages can be used. For example, on a UNIX platform, the C programming language would be used.

The security server 114 can always be in communication with the communication framework 410 so long as a respective node is in a power on condition. This is important to prevent the frameworks 410 and 420 and each of the missions from being subverted. In this regard, the communication framework 410 handles authentication issues. Communication between the nodes 320, 322, 324 is encrypted and compressed and a digital key is used. During a communication between the security server 114 and the communication framework 410, information is sent regarding the size of the communication. If the size of the communication is larger or smaller than expected, it can be assumed that there is a security problem. For example, if the communication function is expecting a communication of 212 kilobits and 214 kilobits is received, then that information will not be processed by the communication framework 410.
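The size announcement and keyed authentication described above, as an added Python illustration that is not part of the patent or its implementation. The patent does not specify the frame layout, the units of the size field or the kind of digital key, so this example assumes a 4-byte byte-count header, a shared secret used for HMAC-SHA256, and a 212-byte expected message standing in for the 212-kilobit example:

```python
"""Length-checked, keyed frames between the security server 114 and a
communication framework 410 (added illustration, not the patent's code).

Assumed, because the patent does not say: the size is a 4-byte big-endian
byte count, the "digital key" is a shared secret used for HMAC-SHA256, and a
frame is laid out as [4-byte length][payload][32-byte tag].
"""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

HEADER_LEN = 4
TAG_LEN = 32  # HMAC-SHA256 digest length


def build_frame(key: bytes, payload: bytes) -> bytes:
    """Sender: announce the payload size, then authenticate header and payload."""
    header = struct.pack(">I", len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def receive_frame(key: bytes, frame: bytes,
                  expected_size: Optional[int] = None
                  ) -> Tuple[bool, str, Optional[bytes]]:
    """Receiver: returns (accepted, reason, payload).

    The frame is not processed when the announced size disagrees with what
    actually arrived, when it is not the size the receiver was expecting
    (the 212 vs 214 case in the text), or when the keyed tag fails to verify.
    """
    if len(frame) < HEADER_LEN + TAG_LEN:
        return False, "truncated frame", None
    declared = struct.unpack(">I", frame[:HEADER_LEN])[0]
    payload = frame[HEADER_LEN:-TAG_LEN]
    tag = frame[-TAG_LEN:]
    if declared != len(payload):
        return False, f"size mismatch: announced {declared}, received {len(payload)}", None
    if expected_size is not None and declared != expected_size:
        return False, f"unexpected size: expected {expected_size}, got {declared}", None
    # The size checks are cheap early filters; the keyed tag, compared in
    # constant time, is what actually authenticates the frame.
    expected_tag = hmac.new(key, frame[:-TAG_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):
        return False, "authentication tag mismatch", None
    return True, "ok", payload


if __name__ == "__main__":
    key = b"constructed-shared-key"        # constructed sample key
    good = build_frame(key, b"A" * 212)     # 212 bytes stand in for 212 kilobits
    print(receive_frame(key, good, expected_size=212)[:2])
    oversized = build_frame(key, b"A" * 214)
    print(receive_frame(key, oversized, expected_size=212)[:2])
    tampered = bytearray(good)
    tampered[10] ^= 0x01                    # flip one payload bit in transit
    print(receive_frame(key, bytes(tampered), expected_size=212)[:2])
```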

The agent core framework 420 includes code necessary for each of the missions to run on a respective node 104, 108, 112 and locally manages each of the missions. The agent core framework 420 can receive new missions from the service request processor module 290 and instantiate the new mission on that node based on instructions received from the service request processor module 290. Instantiation is the reserving of memory space and the initializing of the new mission. Under instruction from the service request processor module 290 the agent core framework 420 can receive a mission from another node, can shut off missions on that node, and delete missions if necessary on that node.

Thus, the service request processor module 290 remotely controls the frameworks 410 and 420 and each of the missions 452, 454, 456, 458. Besides starting a mission by having the mission instantiated at a node, the service request processor module 290 also tracks each instance of each mission. This is achieved by having the agent core framework 420 periodically send information to the service request processor module 290 regarding the currently active missions acting at that node.

Once the frameworks 410 and 420 are in place at each of the nodes, the service request processor module 290 can deploy data collection agents such as intrusion detection mission 452, collect data from the data collection agents and store the collected data in the audit database storage unit 286. The service request processor module 290 can send a new mission to a communication framework 410 on a node as instructed by the network tools module 302.

User profile data is stored in the audit database storage unit 286. This data may be used to detect an intrusion. For example, a user may have access to a particular database but has not accessed the database for over a year. The sudden access of the database may be inconsistent with the user profile as determined by the network tools module 302. This may be an alert that a misuse might be occurring, but because the user is performing a legal operation the network tools module 302 may direct the service request processor module 290 to increase the auditing level being performed by the intrusion detection mission 452 and send out a change audit mission 454.

The service request processor 290 provides for system protection which might include shutting down a node when a suspected intrusion occurs or when a node has been subverted. Another type of system protection may be when an agent or mission does not report back for a certain period of time and it may be assumed that the agent or mission has been killed or subverted. Subverted means that the system, agent or mission has been killed or corrupted by an intruder or misuse.
The response engine module 272 analyzes collected and stored data, detects and characterizes intrusions and misuses, searches a countermeasure database which is stored in the audit database storage unit 286, instructs the service request processor module 290 to dispatch countermeasure agents, monitors for intrusions and misuses, and profiles user data and stores the same in the audit database storage unit 286. The message processing module 288 determines and identifies data collection requirements and instructs the service request processor module 290 to dispatch threat deflection and misinformation missions. Thus, advantageously, in most situations, the suppression and countermeasure system of the present invention can take automatic and virtually instantaneous action to counteract an actual or suspected threat. Prior art systems only provide alerts to a system administrator who then takes action. Because prior art systems require human intervention, and because cyber attacks can occur with speed beyond that of a human, prior art systems can be circumvented before the human system administrator takes action.

The monitor associated with GUI 292 of security server 114 displays the nodes and the agents and missions on each node and the status of each as depicted in Figure 4. As depicted in Figure 4, there are twenty-two network devices currently being monitored: 104, 106, 108, 110, 112, 114, 122, 124, 126, 128, 130, 132, 134, 136, 138, 140, 142, 144, 146, 148, 150, 152. The monitor or interface module 292 displays messages including new computers added. The monitor also displays alerts and current system information, such as an identified suspected intruder. If a suspected intruder is identified that is not on the system, it may be necessary for the system administrator to obtain a warrant from the proper legal authorities before an offensive mission is sent to the suspected intruder. This is because the sending of an agent may constitute a legal trespass.

Missions can be divided into three main categories. The first category is the "defensive" category which includes the intrusion detection mission 452 and the change audit mission 454. The present invention is an intrusion suppression and countermeasure system and uses the intrusion detection mission 452 to provide information regarding suspected or actual intrusions or misuses. The software agents implementing these missions perform defensive activities to determine the possible existence of a security breach. These missions are informational missions. Information obtained from these missions can be used to obtain a warrant. The second mission category is the "misdirection" category which includes the misdirection mission 458. The software agent of a misdirection mission redirects requests for data from a suspected or actual intruder or misuser, typically to a dummy database that has been set up to keep the suspected intruder or misuser from accessing useful information. The third mission category is the "offensive" category, where an agent is dispatched to a computer on which a suspected or actual intruder resides. Once the agent is deployed at the intruder's computer, an offensive agent can be used to obtain information about the suspected intruder or be used to disable the intruder.

All missions report back to the message processing module 288 periodically. When the response engine module 272 detects a suspected intrusion or misuse or an actual intrusion or misuse, then the response engine module 272 alerts the service request processor module 290, which requests the agent factory module 296 dispatch an additional mission.

As previously mentioned, the communications framework 410 and the agent core framework 420 at each node have the intrusion detection mission 452, the change audit mission 454, and the chase mission 456, and on the node 112 the frameworks 410 and 420 also have the misdirection mission 458. It should be understood that the present invention is not limited to the exemplary missions described herein but many other missions and combinations of missions within each node are possible.

The audit intrusion detection mission 452 can be a specially developed software program as described in the copending U.S. patent applications entitled "Method and System for Normalizing Audit Trail Records Received from Heterogeneous Sources" and "Method and System for Detecting Intrusion into and Misuse of a Data Processing System", both of which are assigned to the instant assignee and filed on even date herewith and both of which are incorporated by reference in their entirety into this specification. The audit and intrusion detection mission 452 can either (1) provide an audit trail of operations on the node at which the mission resides and send this audit trail to the message processing module 288 or (2) detect intrusions or misuses on the node on which it resides and send an alert to the message processing module 288. An intrusion is an access by a computer outside the computer system or network being monitored. A misuse is a use by a computer within the computer system or network being monitored which is not a normal use for that computer or operator using the computer. The audit and intrusion detection mission 452 is capable of determining and reporting an instance of intrusion or misuse but is not capable of taking any significant offensive or countermeasure actions to prevent or halt the intrusion or misuse. The intrusion detection mission can take the form of commercially available software such as Netstalker described in U.S. Patent No. 5,457,742. Typically, a monitored node would have an intrusion detection mission 452 to monitor for intrusions and misuses. The intrusion detection mission 452 reports its audits to the message processing module 288 which stores the audits in the audit database module 286.

Some illustrative examples of intrusion and misuse are provided but the intrusion detection mission 452 is certainly not limited to detection of these simple examples. Examples of misuse include a computer accessing a database which it does not normally access. An example of an attempted intrusion includes a login by a computer which does not have access to the system. Another example would be an attempted logon which tried to login three times but failed. Intrusion symptoms can also include excess system calls, too many root logins, and system memory changes.

The change audit mission 454 changes the audit level being conducted by the intrusion detection mission 452. This mission would have been dispatched by the service request processor 290 after being alerted by either the response engine module 272 or the intrusion detection mission 452 of a suspected or actual intrusion or misuse. Any type of anomalous behavior may warrant additional auditing of a computer node before taking any other defensive or offensive countermeasures. As mentioned previously, because of the speed of a cyber attack, more frequent auditing may be required to detect a cyber attack once a suspected or actual intrusion or misuse is detected.
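The defensive response logic described above (three failed logins, access that is outside or long inactive in a user profile, a mission that stops reporting, and the escalation to a change audit mission or shutting a node off), as an added Python illustration that is not the patent's own code. The audit record format, the 300-second report timeout and the action names are assumptions; the three-failed-login and one-year thresholds come from the text:

```python
"""Response-engine style correlation over audit records reported by an
intrusion detection mission (added illustration, not the patent's code).

Assumed: audit records are dicts with 'ts' (seconds), 'node', 'event' and,
depending on the event, 'source', 'user' and 'target' fields. The report
timeout is an assumed value; the patent says only "a certain period of time".
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

FAILED_LOGIN_LIMIT = 3                   # "tried to login three times but failed"
STALE_ACCESS_SECONDS = 365 * 24 * 3600   # "has not accessed the database for over a year"
REPORT_TIMEOUT_SECONDS = 300             # assumed value for "a certain period of time"


@dataclass(frozen=True)
class Action:
    kind: str    # "alert", "raise_audit_level" (change audit mission), "shut_off_node"
    node: str
    reason: str


def correlate(records: Iterable[dict], profiles: Dict[Tuple[str, str], float],
              last_report: Dict[str, float], now: float) -> List[Action]:
    """Turn audit records plus mission reports into response actions.

    profiles maps (user, database) -> timestamp of the last legitimate access.
    last_report maps node -> timestamp of that node's last periodic report.
    """
    actions: List[Action] = []
    failed: Counter = Counter()  # (node, source) -> failed-login count

    for rec in records:
        node = rec["node"]
        if rec["event"] == "login_failed":
            key = (node, rec["source"])
            failed[key] += 1
            if failed[key] == FAILED_LOGIN_LIMIT:
                actions.append(Action("alert", node,
                                      f"{FAILED_LOGIN_LIMIT} failed logins from {rec['source']}"))
                actions.append(Action("raise_audit_level", node,
                                      "audit more closely after repeated failed logins"))
        elif rec["event"] == "db_access":
            key = (rec["user"], rec["target"])
            last = profiles.get(key)
            if last is None:
                # A database this user never normally touches: suspected misuse.
                actions.append(Action("alert", node,
                                      f"{rec['user']} accessed {rec['target']}, not in profile"))
                actions.append(Action("raise_audit_level", node,
                                      "suspected misuse: access outside user profile"))
            elif rec["ts"] - last > STALE_ACCESS_SECONDS:
                # Legal operation but inconsistent with the profile: raise the
                # audit level rather than block the user.
                actions.append(Action("raise_audit_level", node,
                                      f"{rec['user']} resumed {rec['target']} after over a year"))

    # System protection: a mission that stops reporting is assumed killed or subverted.
    for node, ts in last_report.items():
        if now - ts > REPORT_TIMEOUT_SECONDS:
            actions.append(Action("shut_off_node", node,
                                  f"no report for {int(now - ts)} s; assumed subverted"))
    return actions


def demo_actions() -> List[Action]:
    """Run correlate() over a constructed sample (nodes numbered as in Figure 3)."""
    now = 1_700_000_000.0
    day = 24 * 3600
    records = [  # constructed audit records
        {"ts": now - 60, "node": "108", "event": "login_failed", "source": "130"},
        {"ts": now - 50, "node": "108", "event": "login_failed", "source": "130"},
        {"ts": now - 40, "node": "108", "event": "login_failed", "source": "130"},
        {"ts": now - 30, "node": "104", "event": "db_access", "user": "alice", "target": "payroll"},
        {"ts": now - 20, "node": "104", "event": "db_access", "user": "bob", "target": "hr"},
        {"ts": now - 10, "node": "104", "event": "db_access", "user": "carol", "target": "hr"},
    ]
    profiles = {("alice", "payroll"): now - 400 * day,  # last used over a year ago
                ("carol", "hr"): now - 3600}            # used an hour ago: normal
    last_report = {"104": now - 15, "108": now - 20, "112": now - 900}
    return correlate(records, profiles, last_report, now)


if __name__ == "__main__":
    for action in demo_actions():
        print(f"{action.kind:18} node {action.node}: {action.reason}")
```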

The chase mission 456 is an offensive agent which is deployed by the response engine module 272 or by the audit and intrusion detection module 452 instructing the service request processor 290 to dispatch the chase mission 456 to the node from which the suspected intrusion is taking place. As depicted in Figure 3 the intruder is 130. The chase mission 456 can send back to the service manager 260 information regarding the suspected intruder including the suspected intruder's address and information contained on the suspected intruder's computer, and other information.

The misdirection mission 458 might include a "Trojan horse" which could be downloaded to place a chase mission 456 in the suspected intruder 130. The Trojan horse is a subversive device placed within the computer system of the suspected intruder. A Trojan horse is advantageous because it is possible for a hacker to disguise the address where the hacker is located. Thus, it may not be possible to directly send the chase mission 456 to the hacker. Instead, it may be necessary to use a Trojan horse which is unknowingly downloaded by the hacker and thus the chase mission 456 can be sent to the computer which the hacker is using. The chase mission 456 will frequently reside within a dummy database 460 created by the misdirection mission 458 and will be downloaded by the suspected intruder 130 and the chase mission 456 will thus travel to the computer system of the suspected intruder. The chase mission 456 can then send information regarding the location of the suspected intruder and information about the suspected intruder to the message processing module 288. The chase mission 456 being within the Trojan horse is very useful because it is often difficult to determine the address of the suspected or actual intruder. Thus, it may be necessary to have the suspected or actual intruder download the Trojan horse containing the chase mission 456 to determine the address and capabilities of the suspected or actual intruder.

Alternatively, the suspected intruder may download false information contained in the dummy database 460 as depicted in Figure 3. The dummy database 460 also can be used to keep the suspected intruder interested while information is being gathered about the suspected intruder. It may be possible to determine the address of the suspected intruder if enough time is available to track down the suspected intruder without the necessity of sending out a chase mission 456. It may also be possible to send information to the suspected intruder once the chase mission 456 is instantiated at the site of the suspected intruder. It may also be possible to send a chase mission 456 which either destroys or disables an actual intruder. Most importantly, the chase mission 456 attempts to determine the original source of the intrusion and send that information back to the computer network.

The suppression and countermeasure system of the present invention can take defensive steps to prevent or suppress unauthorized operations at nodes being monitored within the network 100. Advantageously, the present invention can also take offensive countermeasures at computers not within a monitored network 100.

Figure 5 depicts a deployment of a proposed network using the suppression and countermeasure system of the present invention. The system includes two monitoring systems 500, 600 each of which corresponds to the service manager 260 and associated modules discussed above with respect to Figure 3.

There are two wireless networks NET1 and NET2 used at different frequencies in the event that either of the service managers 260, 260' in computer systems 500, 600 becomes disabled. As depicted in Figure 5, there is a truck 700 on which the security server 500 resides and a truck 732 on which the security server 600 resides. Service managers 260, 260' correspond to the service manager 260 described with respect to Figure 3. Computer system 500 includes modules 286, 296, 298, 272, 300, 292, 302, 304 and computer system 600 includes the same modules referenced with an asterisk. Each vehicle serves as a node on the two wireless system networks NET1 and NET2. As depicted in Figure 5, there is one system network NET1 on which communication is conducted on a first frequency. There is a second network NET2 on which communication is conducted at a second frequency. There are three peer-to-peer links 720, 730, 740 within NET1 and NET2 and the truck 700. The truck 700 can communicate over wireless links to the three other peer-to-peer links 720, 730, 740 in a known manner.

The peer-to-peer link 720 includes a truck 722, a van 724 and a truck 726, each of which is in wireless communication with each other. One of the vehicles 722, 724, 726 can serve as a central hub for communication with the other peer-to-peer links 730, 740 and the truck 700. Communication from vehicles not serving as the hub to other networks would go through the vehicle serving as the hub. Peer-to-peer communication can occur between vehicles 722, 724, 726.

The second peer-to-peer link 730 includes a truck 732 and a van 734. As in the first network, peer-to-peer wireless communication can occur between each of these vehicles. One of these vehicles would serve as the hub for communication with other peer-to-peer links 720, 740 and the truck 700.

The third peer-to-peer link 740 includes a van 742, a truck 744 and a truck 746. As before, peer-to-peer wireless communication can occur between each of these vehicles and communication with other networks occurs with the vehicle designated as the central hub. Truck 732 carries the computer system 600.

The computer systems 500, 600 on the trucks 700 and 732 can monitor each of the other vehicles in the network for intrusion or misuse as described above with respect to the security server 114 in Figure 3. Each vehicle 722, 724, 726, 728, 734, 736, 742, 744, 746 would contain a computer system, such as that described above as host 112, and supporting wireless communication devices. Each computer system on a vehicle would have frameworks 410 and 420 and at least one mission. As depicted in Figure 5, the van 724 includes missions 452-458. Each computer system would be monitored for intrusion and misuse by computer systems 500, 600 as described above with respect to the security server 114 on the secured network 100. All wireless communication between vehicles would be encrypted, but nevertheless it may be easier for an intruder to intrude into the network because of the nature of wireless communication. Should any of the vehicles become subverted then either computer system 500 or 600 could shut off the suspected vehicle from the rest of the network. Should either truck 700 or 732 and the computer systems 500, 600 become subverted or destroyed, then the truck which is not subverted or destroyed can serve as the monitor for the entire system to prevent further subversion.

It should be noted that in an information warfare situation, where many cyber attacks are occurring simultaneously, it may be necessary to limit the number of nodes that the computer system 500, 600 audits for intrusions or misuse because at a particular audit level, an intrusion may occur before the computer system 500, 600 can make a determination.

It will be readily seen by one of ordinary skill in the art that the present invention fulfills all of the objects set forth above. After reading the foregoing specification, one of ordinary skill will be able to effect various changes, substitutions of equivalents and various other aspects of the invention as broadly disclosed herein. It is therefore intended that the protection granted hereon be limited only by the definition contained in the appended claims and equivalents thereof.
What is Claimed Is:

1. A method for computer network use, comprising:

receiving information, at a security computer, that an unauthorized operation has occurred at a computer on the network; and

initiating an automatic countermeasure, from the security computer, against the unauthorized operation at the audited computer where the determined unauthorized operation occurred.

2. The method of claim 1, comprising:

auditing operations on computers on the computer network for unauthorized operation and providing information from the one or more audits to a security computer on the network; and

determining, based upon the information provided by the auditing step, that an unauthorized operation has occurred at an audited computer.

3. The method of claim 1, wherein said initiating a countermeasure step includes the step of sending a transferable self-contained set of executable code instructions for implementing the countermeasure from the security computer to the computer on which the determined unauthorized operation occurred.

4. The method of claim 3, wherein said transferable self-contained set of executable code is an agent.

5. The method of claim 2, wherein said auditing step is performed by an audit and intrusion detection mission on a computer on the network which provides audit information to the security computer that an unauthorized operation has occurred.

6. The method of claim 1, wherein said initiating a countermeasure step includes deploying a transferable self-contained set of executable code instructions at the computer on which a determined unauthorized operation occurred for misdirecting further unauthorized operation to a dummy database on the computer.

7. The method of claim 6, wherein the transferable self-contained executable code instruction is a misdirection agent.

8. The method of claim 7, wherein the misdirection agent includes a Trojan horse which can be downloaded by an actual or suspected intruder which performed the unauthorized operation.

9. The method of claim 8, wherein the Trojan horse comprises transferable self-contained executable code instructions which can be instantiated at the actual or suspected intruder's computer under instructions from the security computer.

10. The method of claim 1, wherein the unauthorized operation is a suspected or actual misuse performed on a computer on which said auditing step is being performed.

11. The method of claim 1, wherein the unauthorized operation is initiated by a computer outside the network.

12. The method of claim 11, wherein said initiating a countermeasure step includes deploying a transferable self-contained set of executable code instructions for implementing the countermeasure at the computer of the intruder.

13. The method of claim 1, comprising instantiating a self-contained set of executable code instructions at each of one or more audited computers on the network for communicating with the security computer.

14. The method of claim 13, wherein each of the self-contained set of executable code instructions is a framework agent.

15. The method of claim 1, comprising instantiating defensive and offensive agents at each of the one or more computers.

16. A method for computer network use, comprising:

receiving information, at a security computer, that an unauthorized operation has occurred at a computer on the network; and

taking a countermeasure, from the security computer, against the intrusion including dispatching a transferable self-contained set of executable instructions to the identified audited computer, and automatically executing the set of executable instructions on the identified audited computer to implement the countermeasure.

17. The method of claim 15, auditing computers on the computer network and providing information from the one or more audits to a security computer on the network, and determining, based upon information provided by the auditing step, that an unauthorized intrusion has occurred at an identified audited computer.

18. The method of claim 15, wherein the taking a countermeasures step occurs automatically.

19. A computer network comprising:

a security computer including one or more software modules for deploying, controlling and monitoring agents on one or more computers of the computer network;

each of said one or more computers on the computer network including a security operative which includes:

at least one offensive mission for taking countermeasures against an unauthorized operation, and a misdirection mission for misdirecting further unauthorized operations.

20. The network of claim 19, wherein the one or more software modules comprise: a response engine module for analyzing collected data reported by the defensive mission, for detecting and characterizing intrusions and misuses, for searching a countermeasure data base and for profiling user data; and a for deploying missions for tracking and controlling missions, for storing data collected by the defensive mission and for providing for system protection when a suspected or actual intrusion or misuse occurs, wherein the response engine module instructs the to take countermeasures including deploying missions and shutting down computers on the network.

21. The network of claim 19, wherein each computer includes a transferable self-contained set of executable code instructions representing a framework agent.

22. The network of claim 19, wherein said misdirection mission includes a Trojan horse.

23. The network of claim 19, wherein said defensive mission is a transferable self-contained set of executable code instructions and includes a change audit mission.

24. The method of claim 19, wherein said offensive mission is a transferable self-contained set of executable code instructions and includes a chase mission for being transferred to the suspected or actual intruder.

25. A security system comprising:

a processor;

a network interface coupling computers on a computer network; and

a memory coupled to said processor storing executable code for taking countermeasures, the memory having stored therein sequences of instructions, which, when executed by said processor, cause said processor to perform the steps of:

receiving information that an unauthorized operation has occurred on a computer on the network;

taking countermeasures against the unauthorized operation including dispatching a transferable self-contained set of executable instructions to the determined computer; and executing the set of executable instructions on the determined audited computer to implement the countermeasure.

26. A security computer architecture comprising:

receiving means for receiving information that an unauthorized operation occurred on the computer network;

determining means for determining that an unauthorized operation has; and

countermeasure means for automatically initiating countermeasures against an unauthorized operation at the audited computer.

27. A computer readable medium having agents stored thereon, the agents comprising:

at least one defensive agent for monitoring for unauthorized operations on a computer within a computer network and reporting back to a security computer;

at least one misdirection agent for misdirecting requests by an actual or suspected intruder or misuser to a location in a monitored computer where the actual or suspected intruder obtains false information; and

at least one offensive agent for taking countermeasures against an actual or suspected intruder to prevent or suppress further intrusion by the actual or suspected intruder.

28. A computer readable medium as in claim 27, further having executable code for automatically initiating countermeasures against an unauthorized operation at the monitored computer.